Facebook, Twitter, and Instagram, Oh My! How to Ensure HIPAA Compliance in An Era of Rapidly Developing Social Media

Jeana M. Singleton, Esq.Brennan, Manna & Diamond

Social Media Web-based platforms whereby users

communicate, network, and share user created content with others participating in the platform

Facebook, Twitter, Instagram, YouTube, LinkedIn, Foursquare, Yelp, Tumblr, blogs, user comments

2

Social Media Use In The Healthcare Industry

3

Social Media Commonly used for marketing purposes -

many hospitals now have their own Facebook or Twitter pages

Used in recruiting – LinkedIn

Employers often look at social media pages of job applicants

4

Increased Use of Health Care Social Media

5Source: http://www.jmir.org/2014/11/e264

Maps of Social Media Utilization for Hospitals Adjusted by Bed Count: November 2014

Increased Use of Health Care Social Media• Of 3,371 U.S. hospitals surveyed for a Journal of

Medical Internet Research November 2014 Publication:• 95% of hospitals have a Facebook page• 50% of hospitals have a Twitter page

• Of 64 Ohio health care organizations surveyed for the Mayo Clinic Social Media List as of January 2016:• 69% use Facebook • 64% use Twitter • 41% use YouTube• 39% use LinkedIn• 13% use a blog

6

Increased Use of Health Care Social Media

7Source: http://www.solomonmccown.com/2013/09/healthcare-in-the-digital-era/#YGXjR0pETft0TFqR.97

Patient Confidentiality And Social Media

8

HIPAA

Health care providers must keep a patient’s individually identifiable health information confidential, except in specific circumstances when disclosure is allowed.

9

Social Media Use Can Violate HIPAA

HIPAA violation occurred when grief counselor helped establish a Facebook group with teens. Counselor’s involvement amounted to HIPAA violation, even though teens could have started the group on their own.

10

Common Problems Discussion of patients through social media:

◦ Example 1: Doctor fired and fined by Rhode Island Board of Medicine for posting patient information on Facebook page. Although name was not used, could still identify patient.

◦ Example 2: Patient was involved in a crime and ER employee posted patient’s health information on Facebook.

◦ Example 3: Paramedic posted information on a social media site about a sexual assault victim. Patient filed a lawsuit against the paramedic and the emergency service he worked for due to privacy violations.

11

Common Problems Posting pictures of patients on Facebook an

Instagram:

◦ Example 1: Hospital workers, including nurses, took pictures of stabbed, dying man, posted on Facebook. Led to firings and suspensions.

◦ Example 2: Nursing aide took pictures of elderly patients using bedpans, posted on Facebook. She was sentenced to jail (served 8 days) for invasion of privacy.

◦ Example 3: Resident posted picture on Facebook of his suturing technique on patient. Also included summary of patient’s health history and medical state in the ER. Resident was disciplined.

12

Healthcare Providers Need To Adopt A Social Media Policy

13

Social Media and Patient Confidentiality Journal of the American Medical

Association 2012 survey:◦ Approximately 80% of medical and osteopathic boards surveyed indicated that they had received reports of online violations of patient confidentiality.

14

Nursing School Nightmares Nursing students at a Kansas

community college took pictures with a placenta during clinical lab at hospital and posted them on Facebook

College dismissed the students from the nursing program

Lawsuit ensues – due to expulsion without appeals process (due process claim)

15

One of the actual pictures posted on Facebook

Nursing School Nightmares U.S. District judge rules that because instructor gave

permission to take picture, there was implicit permission to show to others (i.e. post online)

No privacy right implicated by placenta

College did not have code of conduct relating to taking pictures in learning environment or prohibiting putting photos on Facebook

Court reinstates students- appeals process was unfair, were not allowed to argue they had permission. Procedural due process was violated

Takeaway: Have clear and concise social media policies in place

16

Social Media Policies And The Law

17

Social Media Policies and Employment Law Recent cases taken up by the National Labor

Relations Board (NLRB) for employees fired because of social media

Employees right to be protected from employer retaliation when engaging in “concerted activity”

NLRB released guidelines specifically for social media

18

National Labor Relations Act NLRA protects rights of employees: union

and non-union

Section 7 – protects an employee’s right to engage in concerted activities for the purpose of mutual aid and protection

19

“Concerted Activity” Activity by individual employees who are united

in the pursuit of a common goal. Action must be engaged with or on the authority of other employees, and not solely by and on behalf of the individual employee

Certain concerted activities are protected –activities for employees’ mutual aid or protection or efforts to improve working conditions. Includes scenarios where employees act to initiate group action, and also actions by individual employees bringing group complaints to the attention of management

20

Relation to Social Media Recently, the NLRB has focused on social media cases

Various Facebook postings have been held to be protected concerted activity, and provisions of employer’s social media policies have been deemed overly broad, and thus prohibited protected conduct in violation of NLRA.

Ex: Hospital employee posted negative comments on Facebook about a co-worker’s absence and was terminated. NLRB concluded that the hospital’s policy provided no specific guidance on what was not allowed (e.g. it didn’t describe what was “private” or “confidential” relating to any person or entity) and was overly broad in areas (e.g. didn’t define broad terms such as what constituted embarrassment by the hospital) without limiting conduct in any way that would exclude protected activity.

21

NLRB Guidance on Social Media Policies Employer policies should not be so sweeping that

they prohibit the kinds of activity protected by law, such as the discussion of wages or working conditions among employees.

◦ Example – policy cannot prohibit “making disparaging comments about company through any media or electronic media.” This is overly broad, needs limiting language that does not restrict NLRA rights.

An employee’s comments on social media are generally not protected if they are mere gripes not made in relation to group activity among employees.

22

What should you do? Review policies. Do they broadly restrict

social media commentary? Must not restrict discussions relating to an employee’s terms and conditions of employment. Specifically outline types of posts that are prohibited.

Appropriate training for staff and employees to recognize what is and is not allowed on social media.

23

Suggested Elements of Social Media Policies No use of social media at work No use of patient’s name, pictures,

videos, or any other identifying information

No disparaging patients, even if not identifying them

24

Suggested Elements of Social Media Policies No disclosure of confidential information

relating to organization and employees

No stating that personal opinions are endorsed by organization

No use of company or school logo on personal social media pages – want to avoid any appearance that a personal page could be construed as being statements of the institution.

25

American Medical Association Social Media Policy AMA recently issued social media policy Focus on professionalism in the use of social

media Separate personal from professional with

online presence Encourage patient confidentiality and the use

of privacy settings on personal social media accounts to maintain personal and professional privacy

Maintain professional boundaries if interacting with patients online

26

LESSONS: Have clear and concise social media

policies in place! Define what is and what is not appropriate

use of social media by employees/ students. Provide examples.

Explicitly state that policy is not intended to interfere with protected activity or infringe upon employee’s rights.

27

LESSONS: Prohibit: false or obscene statements,

harassing language, discriminatory statements, posting of any patient-related information or discussion of patients in general

Include social media in all HIPAA training Monitor social media of employees/

students

28

LESSONS: Prohibit any unauthorized use of data Require employees/students to sign

acknowledgment that they have received and read social media policy

Explicitly state potential consequences and punishment and consistently enforce policy

This will help avoid lawsuits that will hurt your reputation and finances!

29

National Council of State Boards of Nursing Social Media Video

30

QUESTIONS?

Jeana SingletonBrennan, Manna & Diamond, LLC

75 East Market StreetAkron, Ohio 44308

330-253-2001

jmsingleton@bmdllc.com

31